The Intersection of Lead Generation and Consumer Privacy

Thursday, August 23, 2018

What is Lead Generation?

Lead generation is the process of identifying and cultivating individual consumers that are interested in purchasing a product or service. The goal of lead generation is to connect companies with those consumers so that “leads” can be converted into sales. A lead can be any consumer that has indicated interest – directly or indirectly – in buying a product or service by taking some action.

Consumers typically submit personal information online via a website form, or on a telemarketing call. Personal information can consist of, without limitation, a consumer’s name and contact information. It can also consist of more sensitive consumer information, like Social Security and bank account numbers.

Privacy is at the Heart of Lead Generation Regulation

As the lead generation industry has become more sophisticated and data-intensive, regulatory scrutiny has increased. Federal and state investigations and enforcement actions typically arise in the lending, postsecondary education and insurance industries and often involve at least some component of consumer privacy and data security.

From a regulatory perspective and because the product is personal data, lead generators’ collection and sharing of personal information increase the risk of misuse and harm to consumers. Lead sellers should consult with an experienced FTC defense lawyer and take reasonable precautions to ensure that lead buyers only use information for authorized and lawful purposes and that lead purchasers have a legitimate need for the information.

All those in the lead generation ecosystem are potentially liable for unfair or deceptive practices, including publishers, affiliate networks and product/service providers. Thus, vetting prospective buyers, understanding how information is being used and monitoring lead sources for deceptive claims are amongst the most important pieces of the compliance puzzle.

Privacy policies and related disclosures relating to who you are and how information will be used must also comply with applicable laws, regulations and best practices. Given that privacy and data security are at the heart of any compliant lead generation campaign, the recent onslaught of related privacy legislation necessarily ups the compliance ante.

Recent Privacy and Data Security Legislation

While the European Union’s General Data Protection Regulation has garnered the majority of privacy-related attention in 2018, lead generators and other digital marketers must not overlook domestic legislative developments. For example, Vermont’s recently enacted groundbreaking data broker disclosure and security legislation. In short, the legislation regulates data brokers that buy and sell personal information.

“Data broker” is defined under the Vermont law as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third-parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” “Brokered personal information” means one or more specifically enumerated data elements about a consumer, if categorized or organized for dissemination to third-parties.

Data brokers are required to register annually with the Vermont Attorney General. It also requires the implementation of appropriate written information security programs; the disclosure of data breaches and information pertaining to data collection, use and dissemination to third-parties; and the disclosure of opt-out protocols, amongst other information.

Colorado also made news earlier this year by enacting groundbreaking privacy and cybersecurity legislation. Covered entities are required to implement reasonable security procedures that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations. They are also required to dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third-parties and notify affected individuals of data breaches in what is the shortest time frame in the nation. Covered entities should consult with privacy compliance counsel about the Colorado law’s provisions, including the implementation of written information security programs, vendor management controls and breach incident response plans.

Most recently, California passed the California Consumer Privacy Act of 2018, with some GDPR-like features. Major provisions include, but are not limited to, the right to know what personal information has been collected, where it came from, how it is being used, whether it is being disseminated and who it is being disseminated to. Consumers have a right to opt-out of allowing a business to sell their personal information to third-parties. Consumers under 16 years of age have the right to not to have their personal information sold unless they or their parents first opt-in. The CaCPA also include the right to delete of personal information and to receive equal treatment regardless of whether privacy rights are exercised.

Pursuant to the CaCPA, companies must make certain disclosures to consumers when personal data is collected, including, but not limited to, the categories of personal information collected, the purposes for which personal information is collected and the categories of personal information that it disseminated in the preceding 12 months. Notably, lead generators that disseminate consumer data to third-parties will be required to disclose that practice and provide consumers the ability to opt-out by supplying a link entitled “Do Not Sell My Personal Information” on the website’s home page.

The CaCPA will take effect in January 2020 and applies to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50% or more of their annual revenues from selling California residents’ personal information.

Preventive Compliance Measures

Lead generation and consumer privacy-related legal compliance issues are inextricably intertwined. Now, more so than ever, both regulatory agencies and lawmakers expect digital marketers to make consumer privacy and data security a priority. Lead generators, lead aggregators and lead purchasers should ensure that such considerations are built into marketing compliance protocols.

Richard B. Newman is one of the premier FTC advertising compliance and regulatory defense attorneys in the United States. He regularly provides advertising counsel and represents clients in high-profile investigative and enforcement proceedings initiated by the Federal Trade Commission, state attorneys general, departments of consumer affairs, and other federal and state agencies with jurisdiction over advertising and marketing practices. Richard also handles transactional matters relating to the dissemination of national advertising campaigns, including the gamut of...

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com intended to be a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional. NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us.

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558 Telephone (708) 357-3317 If you would ike to contact us via email please click here.